Website

Legroom.net General Update

There hasn't been much news posted here lately, so I wanted to give everyone an update on what's going on in regards to the website and various projects hosted here.

Website Spam
As anyone viewing the forum or old posts has undoubtedly noticed, this site has been overrun with spam. Since moving to Drupal 6 a couple years ago, the anti-spam module I used never worked quite right, resulting in a lot of extra work on my part to keep things tidy. After a while I got tired of dealing with the spam, and have simply neglected it since then. This is not good for several reasons, not the least of which is that legitimate posts got drowned out by the noise and never received any attention.

I just spent a couple hours deleting all of the spam I could find, so all that should be left on this site are legitimate posts. Unfortunately, at this time I have no good way to keep it that way, which leads into my next topic...

Forum, Comments, and User Accounts
Effective immediately, the forum and news posts have been switched to read-only mode, and the ability to create new user accounts has been disabled. The end result is that no one can post new comments or topics to either the forum or website, and no one that doesn't already have an account can (automatically) create a new one. I was hoping I'd never have to resort to this, but until I get the time to upgrade my site again and implement an entirely new anti-spam system, I simply have no other way to keep the site clean.

Continuing on the topic of users, I'm also working on cleaning up all of the accounts. Some quick math showed I have about 6500 registered accounts when I started working on this, and I can guarantee that over 6400 of those are simply for spam. As I have no great way to distinguish the difference between legitimate and non-legitimate accounts when dealing in this volume, I'm taking the following approach. Any accounts meeting the following criteria will be deleted:

  • Have never logged in
  • Have not logged in for more than one year
  • Have a last access time within one week of their account creation
  • Have a suspicious-looking username

I have no doubt this will include some innocent and legitimate users in the mix, and for that I apologize. As noted above, though, I don't have a better way of dealing with all the spam right now, and drastic actions are needed to get things back in order.

If you have a legitimate need to access the site, e-mail me. I can still create accounts manually. If you want to use the forum to post a question about Universal Extractor, I recommend posting to the MSFN forum instead. A bunch of great people frequent those forums, and you're more likely to get a timely response from them than from me for the foreseeable future. For anything else, e-mail me. My address isn't that hard to find if you really need it.

Software Projects
This really isn't anything new, but just to formally announce it: for now, all Legroom.net software projects are on hiatus. This does not mean that I've abandoned them or no longer plan on working on them, just that I don't have the time and/or desire to do so right now. As I said, this isn't anything new - most of this site in general has been on hiatus for a couple of years, so not much will change. When I resume development, don't worry, I'll be sure to post an update. :-)

Legroom.net SSL Certificate Changes

The SSL certificates used by this website and other related Legroom.net services are expiring soon. As a result, I'm taking this opportunity to revamp the process I use for generating and managing my certificates. The end result will (at least I hope...) be a more flexible and easier-to-maintain system for me, with fewer interruptions necessary for my visitors going forward.

Unfortunately, this change also means that all existing Legroom.net certificates are no longer valid (if you received an error when viewing the page through an "https" link today, this is the reason). If you use the SSL version of this site or Legroom.net e-mail, you will need to update your copy of the Legroom.net certificate. In order to do so, please refer to the new Legroom.net SSL Certificates page I created. It's also available through a handy link in the Navigation menu on the left side of the site.

This page covers why I use self-signed certificates on this website, what that means to you, how Legroom.net certificates work, and how to install the Legroom.net CA certificate in a few common browsers and mail clients.

Please let me know if you encounter any problems.

Universal Extractor Download Links

I've just been notified that the download links for Universal Extractor have not been functional, returning a 404 Not Found. This was the result of an inappropriate and inexcusable action taken by the shitty webhost currently hosting these files. I will consequently likely be moving the files soon to another host. In the meantime, the download links are working again. If you notice any similar problems in the future, please e-mail me ASAP.

Legroom.net Copyright and Licensing

Information regarding copyright and licensing of Legroom.net content and software has always been a part of Legroom.net, but it hasn't been available in a clear or consistent manner. I'd like to change that.

Historically, all software made available through Legroom.net has been licensed under the GNU General Public License (GPL), version 2. All original content on the site (posts, howtos, etc.) has been copyrighted to me, with (as the saying goes) all rights reserved. This arrangement has worked pretty well for a number of years, but there are a few deficiencies I'd like to address:

  • License information for software is generally not clearly presented, often only available in the source code itself. This has led to numerous inquiries over the years from users and developers interested in using my software.
  • A few developers have expressed concern about my choice of the GPL for some software, as the "viral" nature of it can make it difficult to use my software with other, non-GPL software.
  • I'd like other people to be able to reuse my content (with certain limitations) where beneficial, but the default copyright notice I've displayed doesn't make this at all clear.

I've been giving this a lot of thought over the last few months, and have decided to make the following changes:

  • All original content (mostly text) on Legroom.net will be available under the Creative Commons Attribution-ShareAlike 3.0 Unported License. This basically allows the content on this site to be reused for any purpose, with two restrictions:
    • Any reuse or derivation of my work must be properly attributed
    • Any reuse or derivation must be redistributed under a similar share alike license, to ensure the work remains "free"

    Complete details can be found in the link above. The copyright notice at the bottom of all Legroom.net pages has been updated to reflect this change.

  • Unless otherwise indicated, all of my software will (eventually) be relicensed under the GNU General Public License, version 3. This license change will take place on a per-application basis as new versions are released, which is why it will likely take some time to fully complete. Additionally, license information will be added to each application's web page to make this more clearly available.
  • Inno Setup CLI Help and Modify Path (Inno Setup Pascal script) will instead be relicensed under the GNU Lesser General Public License (LGPL), version 3. Since these application components are meant to be used in conjunction with other programs, the use of the GPL, as noted above, can make it difficult to incorporate into programs using non-GPL-compatible licenses. Switching to the LGPL should provide a reasonable compromise between allowing these components to be more widely used, while also preserving their freedom as much as possible. New versions of each will be released shortly to make the license change official.

In addition to the above, I also plan on creating an "about" page at some point that contains a summary of this information, as well as contact information and other appropriate information about the website. Hopefully, all of these changes will help to make Legroom.net licensing and copyright information clearer and easier to understand, and allow my work to be more easily used by others (while keeping it free for everyone).

Comments, questions, and suggestions are always welcome.

No, This Site Is Not Malicious

Sorry to even have to post this, but apparently my site has been classified as "malicious" by certain parties. It all seems to have originated from this particular malware list:
http://www.malwareurl.com/listing.php?domain=legroom.net

The reason? Someone apparently doesn't like my download script for Universal Extractor. Seriously. This is the "malicious" URL:
http://www.legroom.net/scripts/download.php?file=uniextract16

Any guesses as to what that does? It lets you download Universal Extractor 1.6. Oh, the horror! I use the download script rather than link directly because I need to move the location of the actual installer file from time to time due to bandwidth concerns or other issues. By using the download script to serve up the file, I can easily point it to a new location at any given time, implement load balancing if needed, etc., without anyone having to worry about dead links (well, except for people who insist on hotlinking directly to the file against my wishes, but I don't have much sympathy for them).

Apparently someone didn't like my script and reported it. I guess. I haven't been able to get any more information about the issue. I guess I can kind of, sort of, maybe understand the concern about a download script like this, as I guess it could, possibly, maybe be hijacked in some way to serve up malicious content, but that's not what happened here. My script is written in such a way that it'd be impractical to try to use it for malicious means (I won't say impossible because, quite frankly, anything is possible on the internet); it'll serve up the specified file from a specified URL on a specified remote server and nothing else. If anyone tried to fiddle with it by adding fake filenames, etc., it'll just return an "invalid file" error message.
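The allowlist behaviour described above, as an added example (this is not the site's download script, whose source is not shown on this page; it is written in Python, and the mirror URLs and the `pick` parameter are constructed assumptions). The request value is only ever used as a lookup key, never pasted into a path or URL, so anything outside the table gets "invalid file".

```python
import re
from urllib.parse import parse_qs

# Constructed allowlist: public key -> mirror URLs (hosts are placeholders).
DOWNLOADS = {
    "uniextract16": [
        "https://mirror1.example.net/files/uniextract16.exe",
        "https://mirror2.example.net/files/uniextract16.exe",
    ],
}
# Keys are short lowercase tokens; slashes, dots, schemes and NULs never match.
KEY_RE = re.compile(r"[a-z0-9_-]{1,64}")


def resolve(key, pick=0):
    """Return the redirect target for an allowlisted key, or None."""
    if not isinstance(key, str) or not KEY_RE.fullmatch(key):
        return None
    mirrors = DOWNLOADS.get(key)
    if not mirrors:
        return None
    # 'pick' is a hypothetical hook for rotation/load balancing across mirrors.
    return mirrors[pick % len(mirrors)]


def handle(query_string, pick=0):
    """Map a raw query string to (status, headers, body)."""
    values = parse_qs(query_string, keep_blank_values=True).get("file", [])
    # Exactly one 'file' value is accepted; repeated parameters are rejected.
    target = resolve(values[0], pick) if len(values) == 1 else None
    if target is None:
        return 404, {"Content-Type": "text/plain"}, "invalid file"
    return 302, {"Location": target}, ""


if __name__ == "__main__":
    # Constructed requests: one valid key, then tampered values.
    for qs in ("file=uniextract16",
               "file=../../etc/passwd",
               "file=https://other.example/x.exe",
               "file=uniextract16&file=x"):
        print(qs, "->", handle(qs))
```

Moving the installer to a new host then means editing one entry in `DOWNLOADS`; the public link and the set of reachable targets stay fixed.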

So someone must've thought the script seemed somehow suspicious, but couldn't bother to do even the simplest of tests to verify it before reporting it to a malware site, and the malware site, of course, listed it without question. And even better, I just discovered that numerous other sites have lowered legroom.net's reputation as well because of this listing, because, naturally, none of them could be bothered to verify the claim either.

And finally, the icing on the cake is that this was originally listed on malwareurl.com on 12/15/2009. That's right, eight months ago. In eight months of being reported, listed, copied and listed, copied again, etc., not once was I ever notified of the dangerous, horrible malicious content on my website. It wasn't until today that a visitor noticed the problem and sent me an e-mail to give me a heads up (coincidentally, two people contacted me today - my heartfelt thanks to both of you). So, it took eight months to find out about a non-existent problem that denied access to or drove away who knows how many people from my website. Fantastic.

Some choice words are coming to mind right now, but I'll refrain because this is a (mostly) family-friendly site.

I get the need for these kinds of sites (I use a few myself for e-mail blacklists), and I can appreciate that many of them are volunteer efforts with limited time and resources. Nevertheless, I think it's reasonable to expect the site operators to:
1. attempt to verify reported content
2. notify the administrative or technical contact of the domain when the site is blacklisted

These steps are not difficult: a simple click would've verified that my script was innocuous, and the notification process could be automated by simply querying whois and sending a standard form letter. If either of those had been done, this issue could've been resolved quickly and easily. Instead, I find out eight months later and I'm pissed. This is not the best way to build support for, or trust in, community-driven security projects.

OK, I'm finished my rant now. On a more positive note, I'd like to thank the operator at malwaredomains.com for a very quick and amicable response to my inquiry about removing the inappropriate listing. Hopefully I can get the source of the problem, malwareurl.com, to correct the problem soon as well.

Spam Problems (actually, anti-spam problems)

I've been having issues with my spam module since upgrading to Drupal 6 a while back. It changed behavior very significantly, and in my opinion for the worse. Part of the problem I've been having with it is that content detected as spam is not always reliably reported as such. Sometimes it just disappears, literally. Submitters have the option to submit feedback on posts falsely classified as spam, and I may see that (if I remember to look in a completely different location than the rest of the posts I review), but even when I do see the feedback, the original post itself seems to be purged from the database.

I've noticed this problem before, but I didn't realize how bad it was. I have over a dozen feedback messages I just noticed for false positives, and I cannot approve the original posts because they no longer exist. Beyond that, there's no telling how many posts without feedback were falsely rejected.

The one good(?) thing is that this only seems to affect anonymous comments (which are heavily moderated anyway). If you want to post any comments to my website or forum, please register an account first - this should make sure your post gets through, and even if it is falsely reported as spam I should at least be able to review and approve it.

To everyone else that's been affected by this - my apologies. I do still have the content of the posts you submitted feedback on (as opposed to the original posts that I can simply approve as "not spam"), so I'll try to manually post them to the appropriate locations as myself and respond where appropriate. Please check back over the next day to see if your post made it.

I'm also going to investigate alternative anti-spam options to try to prevent this issue in the future. I'll write a new post about any changes.

Update: Whew, ended up adding quite a few new forum posts and comments. Again, if you've posted a comment that was (falsely) flagged as spam and wondered why it never showed up, please check to see if your post is available now. I apologize once again for the screw up. Hopefully I can find a better spam solution soon.

Firefox Tips and Tricks Page Updated

I've updated my Firefox Tips and Tricks page. This was the first major update since Firefox 2.x, so there have been quite a few changes and updates. I also added a new section for custom styles, mostly for fixing Firefox UI quirks.

Hope you find this helpful.